DNS Handling in Transparent App Proxy

Hi,


I would like to capture all the DNS requests in my Transparent App Proxy on macOS 10.15.4.


First I tried different combinations but no luck:


1. NENetworkRule *includeRule3 = [[NENetworkRule alloc] initWithDestinationNetwork:[NWHostEndpoint endpointWithHostname:@"" port:@"53"] prefix: 0 protocol:NENetworkRuleProtocolAny];


It captures all TCP/UDP traffic along with DNS.


2. NENetworkRule *includeRule = [[NENetworkRule alloc] initWithDestinationNetwork:[NWHostEndpoint endpointWithHostname:@"0.0.0.0" port:@"53"] prefix: 0 protocol:NENetworkRuleProtocolAny];


It does not capture anything.


3. NENetworkRule *includeRule = [[NENetworkRule alloc] initWithDestinationHost:[NWHostEndpoint endpointWithHostname:@"" port:@"53"] protocol:NENetworkRuleProtocolAny];


It also captures all TCP/UDP traffic along with DNS.


4. I set up a DNS resolver:

NSString *dnsServerIP = @"10.0.0.10";

NSArray<NSString *> *dnsServerList = [NSArray arrayWithObjects: dnsServerIP, nil];

NEDNSSettings *dnsSettings = [[NEDNSSettings alloc] initWithServers: dnsServerList];


NSString* TLD1 = @"com";

NSString* TLD2 = @"in";

NSArray<NSString *> *dnsMatchDomainList = [NSArray arrayWithObjects: TLD1, TLD2, nil];

dnsSettings.matchDomains = dnsMatchDomainList;

dnsSettings.domainName = @"gp.com";

settings.DNSSettings = dnsSettings;


I also set up a filter rule to capture the DNS server IP address "10.0.0.10".


NENetworkRule *includeRule = [[NENetworkRule alloc] initWithDestinationNetwork:[NWHostEndpoint endpointWithHostname:@"10.0.0.10" port:@"53"] prefix: 8 protocol:NENetworkRuleProtocolAny];


No DNS request is captured.

scutil --dns shows DNS resolver:

DNS configuration (for service-specific queries)

resolver #1

nameserver[0] : fe80::1

nameserver[1] : 10.0.0.10

service_identifier : 1

flags : Service-specific, Supplemental, Request A records, Request AAAA records


Still, the DNS request is not received by the Transparent App Proxy.


Could you please help me find the right way to receive all the DNS requests in my Transparent App Proxy?


Regards,

Anand Choubey

Replies

Are you using NEDNSProxyProvider or NEAppProxyProvider? If you are using an App Proxy Provider Network Extension and are wanting to capture DNS traffic, there is a specific network extension that does this.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks!


I am using NEAppProxyProvider. As per the NEAppProxyProvider documentation, under "DNS Handling": "The App Proxy Provider can specify the DNS resolver configuration that will be used by these applications using the...."


https://developer.apple.com/documentation/networkextension/neappproxyprovider?language=objc


Could you please help me understand how to make a DNS resolver with NEAppProxyProvider as per the above documentation?


Can NEAppProxyProvider receive a DNS request using any filter or DNS resolver?


Regards,

Anand Choubey

Anand,


Yes. It looks like you have set up a NEDNSSettings object already. Have you tried using this with your NETunnelNetworkSettings? Also, did you set up the NEAppProxyUDPFlow to receive the DNS flows?


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com
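As an added illustration of what this reply suggests (not code from the thread, from Apple, or from the poster's project): a provider subclass that hands the NEDNSSettings from the original post to the system through NETransparentProxyNetworkSettings, restricts the include rule to the configured resolver on port 53, and receives the resulting UDP flows in handleNewUDPFlow:initialRemoteEndpoint:. The class name, the tunnel remote address 127.0.0.1 and the resolver 10.0.0.10 are assumptions.

```objective-c
// Added example, not from the thread. Assumes resolver 10.0.0.10 and a
// placeholder tunnel remote address; class and method names are hypothetical.
#import <NetworkExtension/NetworkExtension.h>

@interface DNSCaptureProxyProvider : NEAppProxyProvider
@end

@implementation DNSCaptureProxyProvider

- (void)startProxyWithOptions:(NSDictionary<NSString *, id> *)options
            completionHandler:(void (^)(NSError *error))completionHandler {
    NETransparentProxyNetworkSettings *settings =
        [[NETransparentProxyNetworkSettings alloc] initWithTunnelRemoteAddress:@"127.0.0.1"];

    // Resolver configuration handed to the proxied apps (same values as in the post).
    NEDNSSettings *dns = [[NEDNSSettings alloc] initWithServers:@[@"10.0.0.10"]];
    dns.matchDomains = @[@"com", @"in"];
    settings.DNSSettings = dns;

    // Route only traffic to that resolver on port 53 into the extension.
    // Prefix 32 pins the rule to the single host; the post's prefix 8 means 10.0.0.0/8.
    NWHostEndpoint *resolver = [NWHostEndpoint endpointWithHostname:@"10.0.0.10" port:@"53"];
    NENetworkRule *dnsRule = [[NENetworkRule alloc] initWithDestinationNetwork:resolver
                                                                        prefix:32
                                                                      protocol:NENetworkRuleProtocolAny];
    settings.includedNetworkRules = @[dnsRule];

    [self setTunnelNetworkSettings:settings completionHandler:completionHandler];
}

// Each UDP flow matched by the include rules arrives here; DNS over UDP is one of them.
// Returning YES claims the flow, so the extension must then answer or forward the queries.
- (BOOL)handleNewUDPFlow:(NEAppProxyUDPFlow *)flow
   initialRemoteEndpoint:(NWEndpoint *)remoteEndpoint {
    NWHostEndpoint *remote = (NWHostEndpoint *)remoteEndpoint;
    if (![remote.port isEqualToString:@"53"]) {
        return NO;  // not DNS: leave it to the system
    }
    NSLog(@"DNS flow from %@ to %@", flow.metaData.sourceAppSigningIdentifier, remote.hostname);
    [flow openWithLocalEndpoint:(NWHostEndpoint *)flow.localEndpoint
              completionHandler:^(NSError *openError) {
        if (openError) { return; }
        [flow readDatagramsWithCompletionHandler:^(NSArray<NSData *> *datagrams,
                                                   NSArray<NWEndpoint *> *endpoints,
                                                   NSError *readError) {
            // Each NSData is one raw DNS query; a real extension forwards it to the
            // resolver and returns the reply with writeDatagrams:sentByEndpoints:completionHandler:.
            for (NSData *query in datagrams) {
                NSLog(@"DNS query of %lu bytes", (unsigned long)query.length);
            }
        }];
    }];
    return YES;
}
@end
```

The rule above only matches flows addressed to the configured resolver, so a client that queries a different server directly (as a tool given its own @server would) is not routed to the extension.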

Thanks Matt!


Yes, I set up a DNS resolver and configured the following rule to capture all DNS requests whose TLD (top-level domain) is "com".

NENetworkRule *includeRule2 = [[NENetworkRule alloc] initWithDestinationHost:[NWHostEndpoint endpointWithHostname:@"*.com" port:@"53"] protocol:NENetworkRuleProtocolAny];

And handleNewUDPFlow is implemented too.


Now all the DNS requests whose TLD is com are received by my App Proxy code. The dig command's request is NOT received. Any recommendation on how to receive the "dig" DNS request?


It looks like without adding a TLD, my app proxy does not receive any DNS requests.


I would like to capture all the outgoing DNS requests in my Transparent App Proxy without configuring TLDs. There are hundreds of TLDs. Maintaining and adding individual TLDs is a difficult job, and it may negatively impact the overall performance of the system.


Can it be done without adding top-level domains to the filter rules?


Regards,

Anand Choubey

Great, looks like you are making progress.

| Now all the DNS requests whose TLD is com are received by my App Proxy code.


dig commands might be using an interface for resolution that is not captured by your proxy provider.

| The dig command's request is NOT received. Any recommendation on how to receive the "dig" DNS request?



Are you trying to capture and proxy all DNS traffic on your device? If you are you may want to take a look at using NEDNSProxyProvider.


Matt Eaton

DTS Engineering, CoreOS

meaton3 at apple.com

Thanks Matt!